Security
All GET/POST form values are placed in %FORM by BML, but check LJ::did_post() before performing any critical action. A GET request is trivial to forge, for example by embedding its URL as an image on another page so the victim's browser sends it.
Never read in arbitrary (unbounded) amounts of input.
Never use unsanitized data in a shell command or an SQL statement.
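The three rules above, as an added Perl example that is not LiveJournal's own code: %FORM and LJ::did_post() are the names from the guideline; $dbh, $remote, the table and column names, the body cap and the tool path are assumptions made for illustration.

```perl
use strict;
use warnings;
use DBI;

our %FORM;    # filled by BML with the GET/POST values (per the guideline)

my $MAX_BODY_LEN = 65536;    # assumed cap on a raw request body we will read

# Rule 2: read a request body only up to a fixed cap, never "read everything".
sub read_body_bounded {
    my $len = $ENV{'CONTENT_LENGTH'} || 0;
    return if $len <= 0 || $len > $MAX_BODY_LEN;
    my $buf = '';
    my $got = read( STDIN, $buf, $len );
    return unless defined $got && $got == $len;
    return $buf;
}

# Handler for a critical (destructive) action.
sub delete_entry {
    my ( $dbh, $remote ) = @_;    # $dbh: DBI handle; $remote: logged-in user (assumed shape)

    # Rule 1: refuse unless the request was really POSTed. A GET URL can be
    # forged, e.g. embedded in an <img> tag so the victim's browser sends it.
    return "Bad request: action must be POSTed." unless LJ::did_post();

    # Coerce the id into the exact shape we expect (digits only, bounded length).
    my $itemid = $FORM{'itemid'};
    return "Invalid itemid." unless defined $itemid && $itemid =~ /^\d{1,10}$/;

    # Rule 3: bind values; never string-interpolate form data into SQL.
    # Table and column names are placeholders for this example.
    my $rows = $dbh->do(
        "DELETE FROM example_entries WHERE userid = ? AND itemid = ?",
        undef, $remote->{'userid'}, $itemid,
    );
    return "Database error: " . $dbh->errstr unless defined $rows;
    return $rows > 0 ? "Deleted." : "No such entry.";    # do() returns "0E0" for zero rows
}

# Rule 3 for commands: whitelist the value and pass arguments as a list,
# so no shell ever interprets user-supplied text.
sub run_tool_on_file {
    my ($path) = @_;
    return 0 unless defined $path && $path =~ m{^[\w./-]+$};
    return system( '/usr/bin/example-tool', '--input', $path ) == 0;
}
```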